Trade Secrets Of A Developer / Entrepreneur

OpenSSL, HeartBleed And Ubuntu: The Version #’s Don’t Match.

I spent a few hours last night patching OpenSSL on my servers for this site, WatchMeCode, etc. It was a pain. The worst part about it, though, was not recompiling things and actually getting the servers patched. The worst part was all the confusion about version numbers.

HeartBleed

If you haven’t heard of it yet, you need to get yourself over to HeartBleed.com right now. Basically, if you’re using OpenSSL (and who isn’t?) then your servers are vulnerable to attack and to having your SSL keys stolen. You need to fix this ASAP by updating your OpenSSL version, recompiling anything that is built against OpenSSL and re-issuing your SSL certificates with new keys.

Yeah, it’s a pain. But it’s necessary.

The Version Problem

The real problem I ran into last night was version numbers, like I said.

When you look around the internet, you’ll see that everyone says to update OpenSSL to version 1.0.1g – note the “g” – this is the important bit. Everyone says that if you have anything below this letter, then you’re vulnerable. Of course my servers were vulnerable at v1.0.1c.

Except…

I’m running Ubuntu for both DerickBailey.com and WatchMeCode.net and when I updated my OpenSSL build, I didn’t get v1.0.1g installed. I ended up with v1.0.1e – and a full-on panic attack following that. How am I supposed to get v1.0.1g when apt-get only gives me v1.0.1e?!

The Real Version Number

It turns out Ubuntu didn’t update the letter at the end of the version number, when they applied the patch for v1.0.1… or something like that. I’m still not 100% clear on this. But here’s what I do know:

If you are on Ubuntu and you follow all the right steps to update OpenSSL, you will end up with v1.0.1e – and that’s ok.

The thing that you need to check is the LibSSL version, which can be done like this:

The output I get on my servers is:

The important thing to note, here, is the “Version” number at line 8: 1.0.1e-3ubuntu1.2
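The check described above, as an added example that is not part of the original post: the installed package version is read from `dpkg -s` output and compared against the fixed package version the way dpkg orders versions, so the Ubuntu revision (`3ubuntu1.2`) counts and the upstream letter alone does not decide. The `libssl1.0.0` package name, the sample `dpkg -s` output and the assumption that one fixed version applies are all constructed for this example.

```python
import re
from itertools import zip_longest
# Constructed sample of `dpkg -s libssl1.0.0` output (package name and the
# fields other than Version are assumptions made for this example).
SAMPLE_DPKG_STATUS = """\
Package: libssl1.0.0
Version: 1.0.1e-3ubuntu1.2
"""
# Fixed package version quoted in the post; other Ubuntu releases use a different one.
FIXED_VERSION = "1.0.1e-3ubuntu1.2"

def field(status, name):
    """Value of a 'Name: value' line in dpkg -s output; ValueError if absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.+)$", status, re.MULTILINE)
    if not m:
        raise ValueError(f"{name} field not found")
    return m.group(1).strip()

def split_version(v):
    """Split 'epoch:upstream-revision' into its parts (Debian Policy 5.6.12)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def _char_order(c):
    # '~' sorts lowest (even before end of string), letters before other chars.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg rule: alternate non-digit runs (modified ASCII) and digit runs (numeric).
    while a or b:
        ma, mb = re.match(r"(\D*)(\d*)", a), re.match(r"(\D*)(\d*)", b)
        for x, y in zip_longest(ma.group(1), mb.group(1), fillvalue=""):
            if _char_order(x) != _char_order(y):
                return -1 if _char_order(x) < _char_order(y) else 1
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def compare_versions(a, b):
    """-1, 0 or 1, ordering a and b the way dpkg --compare-versions does."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(status, fixed=FIXED_VERSION):
    return compare_versions(field(status, "Version"), fixed) >= 0
```

Comparing the same installed version against plain `1.0.1g` returns -1, which is exactly the false alarm the post describes; the package version, not the upstream letter, tells you whether the backported fix is installed.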

Check The Patch

As Dan Tao points out in the comments below, this is a frustrating situation when you are trying to figure out whether you are safe or not. In the case of Heartbleed, there are tools that check for the actual vulnerability rather than just checking version numbers and hoping you have the right one. I used http://filippo.io/Heartbleed/ to check my servers and got back green reports saying I’m good to go, after doing the updates.

About Derick

Derick Bailey is a developer, entrepreneur, author, speaker and technology leader in central Texas (north of Austin). He's been a professional developer since the late 90’s, and has been writing code since the late 80’s. Derick has built software for organizations of all shapes and sizes, including contributions to Microsoft's MSDN library, running several very highly regarded open source projects, creating software solutions for large financial organizations, healthcare organizations, world-class airlines, the U.S. government, and more. These days, Derick spends most of his time working on content for his own entrepreneurial efforts at WatchMeCode.net, playing video games when he gets a chance, and writing code for his few remaining clients. You can reach Derick at DerickBailey.com or on twitter, @derickbailey.